Yahoo has been resetting email accounts that were targeted in an attack apparently aimed at collecting information from people's recently sent messages, the company said.
The list of usernames and passwords used for the attack was likely collected when another company's database was breached, Jay Rossiter, a Yahoo senior vice president, said in a blog post. He didn't name the third party or say how many accounts were affected.
"We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack," Rossiter wrote.
The hackers used a malicious software program to access Mail accounts with the stolen usernames and passwords, he wrote.
Free email services with large user bases from companies like Yahoo, Google and Microsoft are a rich target for hackers, who use compromised accounts to deliver spam, launch attacks on other users and collect information.
Rossiter didn't say when the attack occurred, and a Yahoo spokeswoman said the company could not share more information while the investigation is ongoing.
Yahoo said it was resetting passwords on the affected accounts and using second sign-in verification to let users resecure their accounts. The feature sends a one-time passcode to a user's phone that must be entered into a Web-based form to access the account.
Yahoo has also "implemented additional measures to block attacks against Yahoo's systems," Rossiter wrote.
He advised that users change their passwords regularly and not reuse the same password for their Yahoo Mail on other Web services.
"We regret this has happened and want to assure our users that we take the security of their data very seriously," Rossiter wrote.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.